Re: SnmpTargetAddress - SNMP

Joan Landry wrote:
>> Ah! So this is not about the snmpTargetAddrTable at all, really. The
>> question you wanted to ask was, "Does net-snmp support the community
>> MIBs?" The answer is, "Net-snmp does not support the community MIBs."
>> If you want to restrict the source address of v1 or v2c requests, I
>> direct your attention again to the com2sec directive of the snmpd.conf
>> file. If you want actual security, I direct your attention again to
>> v3/USM/VACM.
>
> Actually I am really looking to solve one problem.
>
> I want to have a V3 secure box, where v2 access is allowed to only a
> select group of stations.

Is there any reason why you can't use the SOURCE field of com2sec? I've
seen setups that need to access the agent for a command line interface,
where the community name is restricted to 'localhost'. It gets us most
of the required information (MIBs we need for these commands are in the
default context) using the insecure v2c community string, but that
string is only accessible via localhost.

If you know the IP addresses or hostnames of the stations, you can set
them up in your snmpd.conf. If you want those stations to use a v3 user
to set it up, and after that they use v2c, I think you are out of luck.

com2sec [-Cn CONTEXT] SECNAME SOURCE COMMUNITY
com2sec6 [-Cn CONTEXT] SECNAME SOURCE COMMUNITY
    map an SNMPv1 or SNMPv2c community string to a security name -
    either from a particular range of source addresses, or globally
    ("default"). A restricted source can either be a specific hostname
    (or address), or a subnet - represented as IP/MASK (e.g.
    10.10.10.0/255.255.255.0), or IP/BITS (e.g. 10.10.10.0/24), or the
    IPv6 equivalents.

    The same community string can be specified in several separate
    directives (presumably with different source tokens), and the first
    source/community combination that matches the incoming request will
    be selected. Various source/community combinations can also map to
    the same security name.

    If a CONTEXT is specified (using -Cn), the community string will be
    mapped to a security name in the named SNMPv3 context. Otherwise the
    default context ("") will be used.
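
A small model of the com2sec matching described in the man page excerpt above, as an added example (not part of the original post and not net-snmp's own code): it parses com2sec/com2sec6 lines and applies first-match selection to show which security name a given source address and community would map to, which is a quick way to review who can reach the agent over v2c. The sample configuration, addresses, community strings and function names are constructed for illustration, and hostnames other than localhost are not resolved.

```python
import ipaddress
import shlex

# Constructed sample snmpd.conf lines (names, addresses, communities are illustrative).
SAMPLE_CONF = """\
# v2c only from localhost and a select group of stations
com2sec local    localhost                   s3cr3t
com2sec mgmt     10.10.10.0/255.255.255.0    s3cr3t
com2sec mgmt     192.0.2.17                  s3cr3t
com2sec -Cn ctx1 mgmtctx 10.10.20.0/24       other
com2sec6 mgmt6   2001:db8::/32               s3cr3t
"""

def parse_com2sec(text):
    """Return (context, secname, source, community) tuples in file order."""
    rules = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if not tok or tok[0] not in ("com2sec", "com2sec6"):
            continue
        args, context = tok[1:], ""          # "" is the default context
        if args[:1] == ["-Cn"]:
            context, args = args[1], args[2:]
        if len(args) != 3:
            raise ValueError(f"malformed directive: {line!r}")
        rules.append((context, *args))
    return rules

def source_matches(source, addr):
    """True if addr falls under a SOURCE token (default, address, IP/MASK, IP/BITS)."""
    if source == "default":
        return True                          # global: any sender matches
    if source == "localhost":                # assumption: no DNS lookups in this model
        return addr.is_loopback
    try:
        net = ipaddress.ip_network(source, strict=False)
    except ValueError:
        return False                         # other hostnames are not resolved here
    return addr.version == net.version and addr in net

def lookup(rules, src_ip, community):
    """First source/community combination that matches wins; None means no mapping."""
    addr = ipaddress.ip_address(src_ip)
    for context, secname, source, comm in rules:
        if comm == community and source_matches(source, addr):
            return secname, context
    return None

RULES = parse_com2sec(SAMPLE_CONF)
```

A `None` result means no com2sec line maps that sender and community to a security name; any rule whose source is `default` is worth a second look when v2c is meant to be limited to known stations.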